UN OEWG concludes, paving way for permanent cybersecurity mechanism

Discussions on emerging and existing threats reflected growing concern among states over the evolving complexity of the cyber threat landscape, with particular attention to ransomware, commercially available intrusion tools, and the misuse of AI and other emerging technologies. While there was broad recognition of new risks, debates emerged around how far the OEWG’s mandate should extend—especially regarding cybercrime, disinformation, and data governance—and how to balance security concerns with development priorities and international legal frameworks.

Promoting peaceful use of ICTs – or acknowledging the reality of cyber conflict?

One of the key tensions in the final OEWG discussions on emerging cyber threats was the clash between aspiration and reality—specifically, whether the report should promote the use of ICTs for exclusively peaceful purposes or instead focus on ensuring that their use, even in conflict, is constrained by international law.

Several countries argued that the time for idealistic appeals is over. ICTs are already being used in conflicts and hybrid operations, often below the threshold of armed conflict, combining cyber activities with other non-conventional tools of influence. These states (including the USA, Italy, El Salvador, and Brazil) emphasised that acknowledging this reality is essential to advancing responsible behaviour. Malicious cyber operations, often attributed to state-sponsored actors, have targeted critical civilian infrastructure and democratic institutions (as noted by Albania). 

Therefore, these countries pushed to remove or soften references to the exclusive peaceful use of ICTs. Their priority was to reassert that when ICTs are used, including in conflict contexts, their use must comply with international humanitarian law (IHL) and broader international law. In this context, there was also a call to reaffirm the obligation to protect civilians from harm during cyber operations in armed conflict—reflected in the Resolution on protecting civilians and other protected persons and objects against potential human costs of ICT activities during armed conflict, adopted by the 34th International Conference of the Red Cross and Red Crescent in October 2024 (referenced by Switzerland and Brazil).

On the other side, a group of states insisted on keeping strong language around the exclusive peaceful use of ICTs (such as Iran, Pakistan, Indonesia, Cuba, and China). They feared that weakening this reference could be interpreted as legitimising the use of force in cyberspace. While some of these countries acknowledged that ICTs have been used in conflict, they consider reaffirming the peaceful-use principle as a necessary political signal—a way to reinforce global norms and discourage militarisation of cyberspace. China, for example, pointed out that the principle of ‘exclusively peaceful purposes’ has long been part of the OEWG consensus and should remain as a shared aspiration.

Cybercrime and international security: A growing intersection?

Another divisive debate was whether cybercrime belongs in a process focused on international peace and security. A broad group of delegations—including the EU, USA, Canada, UK, Switzerland, Brazil, El Salvador, and Israel—argued that cybercrime has become part of this agenda too. They emphasised the growing role of criminal actors operating in alignment with state interests or from state territories with impunity. According to this group, the cybercriminal ecosystem—offering tools, malware, and even full-spectrum capabilities—is increasingly exploited by state-backed actors, blurring the lines between criminal activity and state behavior. Ignoring this overlap, they warned, would be negligent. 

In contrast, Russia, China, Iran, Cuba, Belarus, and several others opposed including cybercrime in the report. They insisted that criminal acts in cyberspace are distinct from those that threaten international peace and should remain within specialised forums such as the Ad Hoc Committee on Cybercrime. Equating the two, they argued, risks expanding the OEWG’s mandate beyond its intended scope.

Ransomware was one of the few specific threats that saw wide support for inclusion. Countries like the USA, Canada, the UK, Germany, the Netherlands, Brazil, Malawi, Croatia, Fiji, and Qatar stressed that ransomware poses a growing threat to national security and critical infrastructure, and requested that it be addressed with a dedicated paragraph in the Final Report. Several African states (including Nigeria on behalf of the African Group) noted its damaging impact on state institutions and regional bodies. Costa Rica pointed to the disruption of essential services, while Germany called for further discussion on applicable norms and legal frameworks, and Cameroon called for targeted capacity-building and cooperation—including through regional mechanisms like AFRIPOL. A human-centric approach was proposed by Malawi, Colombia, the Netherlands, and Fiji, while others (Russia, China) warned against overemphasising ransomware and argued it remains within the domain of cybercrime discussions.

A number of countries (Canada, the USA, Japan, the UK, Australia, South Korea, Malaysia, Qatar, and Pakistan) confirmed concerns about cryptocurrency theft and its role in financing malicious cyber operations, seeing this as a growing security issue. Others, notably Russia and Iran, pushed back, arguing that this—like cybercrime and other socioeconomic topics—falls outside the OEWG’s mandate.

Critical infrastructure: Shared concern, differing priorities

The protection of critical infrastructure (CI) and critical information infrastructure (CII) emerged as a shared concern in the OEWG discussions, especially for developing countries. Many states—particularly from Africa and the Pacific—highlighted how increased digitalisation and foreign investment in infrastructure have heightened their exposure to cyber threats. Malawi pointed to a breach in its passport issuance system in 2024, while Costa Rica recalled the crippling impact of cyberattacks on public services. For these states, safeguarding CI is not only a national security issue but essential for social and economic resilience.

Several delegations, including Croatia and Thailand, stressed the vulnerability of CI to criminal and advanced persistent threats (APTs). Croatia warned of non-state actors targeting weakly protected systems—the ‘low-hanging fruit’—especially in countries with limited defences, calling for capacity building that avoids deepening the gap between developed and developing countries. Thailand emphasised that APTs can severely disrupt essential services, with potentially cascading effects on national stability. The importance of tailored assistance to protect CI, including cross-border infrastructure like undersea cables, was echoed by the EU, the USA, the Pacific Islands Forum, and Malawi—underscoring the global stakes involved. Ghana and Fiji underlined that each state must determine for itself what qualifies as critical. Russia opposed listing specific sectors—like healthcare, energy, or finance—in the final text, arguing such references could imply a one-size-fits-all approach. Meanwhile, Israel proposed adding the word ‘malicious’ before ‘ICT attacks’ in the report—it was not explained, though, if there are non-malicious attacks, but an edit was ultimately accepted.

The EU and the USA also highlighted political risks, including threats to democratic institutions and electoral processes, while the USA raised concerns about pre-positioning of malware within CI by potential adversaries, though the lack of consensus kept this issue out of the final report. Still, the overall discussion reflected growing agreement that CI protection must be a core focus of future international cooperation, with stronger commitments and action-oriented measures.

Commercial intrusion tools: A market of growing concern

A particularly vivid discussion continued around the risks posed by the growing global market for commercial ICT intrusion capabilities, or spyware. Several delegations (the EU, the UK, South Korea) explicitly recognised this market as a growing threat to international security, but also to intellectual property (the EU). Ghana drew attention to the Pall Mall process—an initiative aimed at curbing irresponsible proliferation of such tools—as a complementary effort that should inform the OEWG’s work. Brazil and others emphasised the risk of irresponsible use, while Israel raised the issue of the ‘illegitimate dissemination’ of such tools—implicitly suggesting that their spread can sometimes be legitimate, depending on context. 

Debates intensified around conditions for lawful use. A range of countries (South Africa, Iran, France, Australia, Fiji, the UK) stressed that any use must be consistent with international law, legitimate and necessary, and—in some views—aligned with the UN framework on responsible state behaviour. 

However, Russia and Iran resisted tying the use of intrusion capabilities to the framework of responsible state behaviour, warning that this might make the framework seem legally binding and blur the line between voluntary norms and law. Israel further argued that when used in line with the UN framework, such tools should not be seen as threats to international peace.  Some states (South Africa, Australia, Pakistan, France) supported the idea of safeguards and oversight mechanisms, but others (Iran) noted these had not been fully discussed and could be addressed later. Meanwhile, Russia questioned whether the use of commercial intrusion tools for unauthorised access could ever truly align with international law, proposing to delete such references entirely.

Emerging technologies: Risks vs opportunities

Debates around emerging technologies reflected a split between states advocating for proactive recognition of risks and those cautioning against overemphasis. Many countries—especially from the Global South (Indonesia, Qatar, Singapore, Thailand, Colombia, Fiji, the African Group)—called for attention to the security implications of AI, IoT, cloud computing, and quantum technologies. They highlighted the dual-use nature of these tools, particularly AI-generated malware, deepfakes, and synthetic content, and stressed that such technologies are already being misused in ways that could threaten international peace (as noted by Indonesia and Mauritius). In contrast, tech-leading states like the USA and Israel warned against placing disproportionate focus on risks, arguing it could overshadow opportunities. The EU, meanwhile, urged caution to avoid duplicating work done in other forums, particularly on AI.

In practical terms, many states (Canada, UK, El Salvador, Pakistan) supported the deployment of post-quantum cryptographic solutions, though others (Russia) considered such steps premature. There was also strong support (UK, Canada, Malaysia, Qatar, Fiji) for naming specific emerging infrastructures—like 5G, IoT, VPNs, routers, and even data centres and managed service providers—as relevant to security discussions. Malaysia highlighted the need for changing the language related to technologies to terms that are also understandable to technical communities – a useful reminder that these processes shouldn’t be left to diplomats alone. Still, some states (Russia, the USA, Israel) pushed to streamline or remove these references, citing concerns over technical detail and the need for broader consensus. The question of whether technologies are neutral sparked philosophical disagreement—Cuba and Nicaragua said no; Switzerland reminded that the agreed language in the third APR from 2024 (par.22) says yes.

New emphasis: Data, disinformation, and supply chain security

The growing strategic importance of data governance was emphasised by several states. Türkiye called for stronger protections around cross-border data flows, personal data, and mechanisms to prevent the misuse of sensitive information, highlighting the need to integrate data security into broader risk management frameworks. Mauritius linked data and responsible innovation, while China reiterated its long-standing proposal for a global data security initiative that could guide international cooperation in this domain.

Disinformation—particularly the use of deepfakes and manipulated content to destabilise institutions—was raised as an urgent and evolving threat. The African Group, represented by Nigeria, emphasised its damaging impact on post-conflict recovery and political transitions, especially in fragile states. Egypt echoed this concern, warning that misinformation campaigns disproportionately affect developing countries, increasing their risk of relapse into instability. China added concerns about the politicisation of disinformation, especially in the context of attributing cyber incidents.

On supply chain security, states agreed about the importance of adopting a security-by-design approach throughout the ICT lifecycle. The proponent, Ghana – supported by Colombia, the UK, and Fiji – stressed this as a baseline measure to address vulnerabilities. Türkiye added that global standards and best practices must be matched by practical implementation frameworks that consider varying national capacities and promote trust across jurisdictions.

Partnerships and cooperation: Making cybersecurity work in practice

The OEWG discussions underscored strong support for enhancing public-private partnerships (PPP) and the role of CERT-to-CERT cooperation as practical tools in addressing cyber threats. A wide range of states—the EU, Canada, Indonesia, Ghana, Singapore, Malawi, Malaysia, Fiji, and Colombia—welcomed explicit recognition of these mechanisms. Several countries (e.g. Mauritius, Thailand) stressed the growing importance of cross-regional cooperation, particularly as cyber threats increasingly affect privately owned infrastructure and cross-border systems. The EU called for greater multidisciplinary dialogue among technical, legal, and diplomatic experts.

Switzerland and Colombia emphasised the role of regional organisations as facilitators for implementing the global framework. Singapore offered the newly established ASEAN regional CERT and information-sharing mechanism as a model. 

While many acknowledged the expanding role of the private sector, Türkiye noted that its responsibilities remain insufficiently defined, suggesting further dialogue is needed to clarify how private actors can contribute to addressing systemic vulnerabilities and managing major incidents. Türkiye also suggested the UN Technology Bank to support cybersecurity capacity building for least developed countries (LDCs) as part of broader digital transformation efforts and promoting secure digital development.

The outcomes

The final document reflects several negotiated compromises. The aspiration to promote ICTs for exclusively peaceful purposes was softened by removing ‘exclusively,’ while a new reference acknowledges the need to use ICTs in a manner consistent with international law (para. 15). Criminal activities ‘could potentially’ impact international peace and security (para. 16). A specific list of critical infrastructure was removed, but protection of cross-border CI is newly emphasized (para. 17), along with the inclusion of security-by-design in the context of vulnerabilities and supply chains (para. 23). Ransomware remains mentioned (para. 24), though a dedicated paragraph was not added. Concerns over commercially available intrusion tools are retained, calling for ‘meaningful action’ and use consistent with international law (para. 25). Risks from emerging technologies are underlined with adjusted specific terminology (para. 20), while the paragraph on AI and quantum (para. 26) was shortened, though still references LLMs and quantum cryptography. A previous reference stating that ICT use ‘in a manner inconsistent with the framework … undermines international peace and security, trust and stability’ was removed.

The central debate, as it was at earlier sessions, revolved around whether the OEWG should prioritise developing new norms or focus on implementing the agreed voluntary, non-binding norms. The Voluntary Checklist of Pratical Actions was also discussed.

Implementation and operationalisation: The priority for many

Many Western and like-minded states stressed the implementation of norms. In particular, the Republic of Korea underlined the importance of focusing on implementing and operationalising existing norms rather than creating new ones. The USA, the Netherlands, Canada, and others expressed concern about placing undue emphasis on developing additional norms and advocated for removing paragraphs 34R and 36 of Rev.1. The EU maintained that decisions on developing new norms should be left to the future permanent mechanism, and called for more attention to norms implementation and capacity building.

Several developing countries supported this focus but noted capacity constraints. Fiji, speaking on behalf of the Pacific Islands Forum, noted the different stages of norms operationalisation among members and cautioned against moving forward with new norms without consensus or a clear gap analysis. Ghana welcomed a whole-of-government approach to the implementation, but also stressed the need to raise awareness of these norms at the national level. 

Work on new norms: A red line for some

In contrast, another group of states advocated for continued work on new norms. Russia argued there was a biased reflection favouring norms implementation and insisted on language supporting the development of legally binding measures, highlighting the initially agreed mandate for the UN OEWG. Iran warned that removing subparagraphs in paragraph 34 as well as paragraph 36 would undermine the section’s overall balance. 

China called for a balance between norms and international law and proposed to delete paragraph 34H, arguing it was not balanced as it focused only on non-state actors and commercially available ICT intrusion capabilities while ignoring states as the major source of threat. China noted that countries that support the retention of paragraph 34H are countries that are opposing the creation of new norms, also commenting on perceived inconsistency among those opposing the creation of new norms while advocating for implementation. In the final report, the wording was adjusted (in paragraph 34F) to reference both state and non-state actors. 

Walking the middle path on norms development

In the meantime, some countries attempted to take the middle ground. Singapore supported implementing existing norms while leaving space for new ones, noting that implementation is necessary to understand what new norms are needed. Indonesia expressed a similar view.

Voluntary Checklist of Practical Actions: Deferred 

The Voluntary Checklist of Practical Actions received broad support with some exceptions. While the UK called it a valuable output of the OEWG, and Ireland described it as an effective capacity-building tool, Russia and Iran opposed its adoption as it was formulated in paragraph 37 of Rev. 1, arguing it had not been fully discussed and should be deferred to the future mechanism.

At the same time, some additional proposals were shared, for example, Cameroon called for a working group on accountability for attacks on critical health infrastructure, while China reminded of the data security initiative and broader data security measures.

The outcome

In the Final Report, paragraph 34 and its subparagraphs were significantly condensed. Detailed proposals in Rev.1 were reduced to a shorter list (34a–h). Technical specifics, such as templates and gender considerations, were simplified or removed. While Rev.1 stated that developing new norms and implementing existing ones were not mutually exclusive and recommended compiling and circulating a non-exhaustive list of proposals in this context, the Final Report significantly softened this language. It retained the idea that additional norms could emerge in paragraph 36d but excluded it from recommendations. The checklist, initially proposed for adoption, has been reworded and is now for continued discussion (Recommendation 38 in the Final report).

The international law section of the Final report reflects the prevailing splits between the states on the need for new binding norms, the applicability of international human rights law and humanitarian law, resulting in a consensus text that fails to reflect the depth and richness of discussions on international law in the past five years. 

The UN Charter: Applicability reaffirmed

Looking in detail, states reaffirmed that international law, in particular the UN Charter applies is applicable and essential to maintaining peace, security and stability and promoting an open, secure, stable, accessible and peaceful ICT environment. Building on the previous work captured in the Annual Reports, the states reaffirmed principles of state sovereignty and sovereign equality (based on the territorial principle), as well as Art. 2(3) and Art. 33(1) of the UN Charter on the pacific settlement of disputes. The reference to Art. 33 (1) has been included in the text despite the request of Iran to remove it, as in their opinion, it lacks consensus and reflects divergence between states.  

Further, the states reaffirmed the Art 2 (4) of the UN Charter on the prohibition of the threat or use of force and the principle of non-intervention. The definition of what may constitute the use of force from Zero Draft (‘An ICT operation may constitute a use of force when its scale and effects are comparable to non-ICT operations rising to the level of a use of force’) supported by the EU, Finland, Italy, Netherlands, Korea, United Kingdom, Australia, and others was taken out, ceding to the requests of Russia, Cuba, Iran, and others.

IHRL and IL: Contentious and omitted 

While the Final report states that the discussions on international law deepened, two topics have not found their place in the text – international human rights law and international humanitarian law. Despite the strong push by the EU, Australia, Switzerland, France, Chile, Colombia, the Dominican Republic, Ecuador, Egypt, El Salvador, Estonia, Fiji, Kiribati, Moldova, the Netherlands, Papua New Guinea, Thailand, Vanuatu, Uruguay, Vietnam, Japan, Nigeria on behalf of the African Group and many others who supported the inclusion of references to the applicability of international human rights law and humanitarian law as part of the consensus in the Final report. Brazil, Canada, Chile, Colombia, the Czech Republic, Estonia, Germany, the Netherlands, Mexico, the Republic of Korea, Senegal, Sweden, and Switzerland provided statements that referred explicitly to the applicability of international humanitarian law and its principles to be included in the Final Report. Many have mentioned the depth of work in this area, as well as the Resolution on Protection of Civilians of the 34th Conference of the Red Cross and Red Crescent Movement, a consensus document. On the other hand, Russia considered that the work on the protection of civilians was not consensus-based, and Belarus, Venezuela, Burkina Faso, the Democratic People’s Republic of Korea, Iran, China, Cuba, Nicaragua, Russia, and Eritrea considered the applicability of international humanitarian law a contentious topic on which there is a clear disagreement.

Additional binding obligations: The door is open

The Final Report keeps the door open for discussions on the possibility of future elaboration of additional binding obligations, if appropriate, and the development of additional legally-binding obligations. In its statement on the Final Report, Russia is already pushing for the Global Mechanism to focus, among other issues, on developing new legally binding norms in the field of digital security. 

What’s missing?

The Final Report does not include references to a variety of resources that could have been the basis for discussions in the future process, from the above mentioned ICRC report, to the Common African Position, the Declaration by the European Union and its member states on a Common Understanding of the Application of International Law to Cyberspace, Updated concept for a convention of the UN on ensuring international information security (by Belarus, the Democratic People’s Republic of Korea, Nicaragua, Russia and Syria), as well as Working Paper on the Application of international humanitarian law to the use of information and communication technologies in situations of armed conflicts by Brazil, Canada, Chile, Colombia, the Czech Republic, Estonia, Germany, the Netherlands, Mexico, the Republic of Korea, Senegal, Sweden and Switzerland and the working paper Working Paper on the application of international law in the use of ICTs: areas of convergence outlining proposed text for inclusion in the 2025 Final Report international law section by Australia, Chile, Colombia, the Dominican Republic, Ecuador, Egypt, El Salvador, Estonia, Fiji, Germany, Kiribati, Moldova, the Netherlands, Papua New Guinea, Romania, Thailand, Uruguay, Vanuatu, and Viet Nam.

The bottom line

The recommendations for the Global Mechanism in relation to the subject matter of international law reiterate further discussions on how international law applies, pushing the divides in this area into the future. The main achievement in the international law section, according to the Final Report, is the voluntary exchanges of national positions and the commitment to increased capacity building in this area, which was highlighted by the small and developing countries.

Echoing previous sessions, there was broad recognition of capacity building’s foundational role in implementing norms, fostering international legal dialogue, and reinforcing confidence-building measures. Yet, as the final OEWG session unfolded, this familiar consensus was accompanied by a renewed urgency to move beyond conceptual alignment. Action-oriented capacity building became a recurring buzzword, capturing the shared ambition to shift from declaratory commitments toward concrete, needs-based mechanisms. This convergence created early momentum for advancing capacity building structures. Still, despite alignment on principles, the pathway to operationalisation remained fractured along critical lines.

What role for the UN?

During negotiations, two opposing positions reflected fundamentally different priorities: Western states emphasised flexibility and minimal commitments, while many developing countries viewed the early operationalisation of capacity building as essential to anchoring the future mechanism in tangible delivery and ensuring it addresses the digital divide. At one end of the spectrum, the USA opposed all new CB mechanisms and rejected any operational role for the UN, citing its ongoing financial crisis. France and Canada adopted a more cautious stance, advocating a step-by-step approach centred on mature initiatives and warning against the premature creation of new structures. 

In contrast, countries such as Nigeria (on behalf of the African Group), Tunisia (on behalf of the Arab Group), Brazil, Iran, and Egypt called for a more active UN role, supported by predictable and well-resourced mechanisms, including calls to include more concrete language on the operationalisation of a UN Voluntary Fund. Consistent with this approach, the African Group, Latin American states, and others backed the creation of a Dedicated Thematic Group (DTG) on CB within the permanent mechanism to ensure coordination, needs mapping, implementation tracking, and inclusive participation, functions they feared would be sidelined if CB remained a merely cross-cutting issue. The USA and Canada opposed this, arguing that issue-specific groups risked bureaucratic redundancy and inefficiency.

The outcome

The final outcome reflects a carefully negotiated compromise: it advances the institutional scaffolding of the future mechanism but falls short of the ambitions expressed by many developing states. The agreement to establish a DTG on capacity building stands out as a meaningful step, providing formal recognition of CB as a core pillar. 

Yet, substantive elements, particularly related to funding, were left unresolved. The UN-run Global ICT Security Cooperation and Capacity-Building Portal (GSCCP) will proceed through a modular, step-by-step development model, and roundtables will continue to promote coordination and information exchange. However, proposals for a UN Voluntary Fund and a fellowship program were deferred, with references downgraded to non-binding language and postponed for further consideration. 

While the framework reflects principles of gradualism and inclusivity, it also exposes the limits of consensus: Western states succeeded in prioritising flexibility and minimal commitments, while developing countries, especially those from the Arab and African Groups, voiced frustration that the outcome lacked the concrete, adequately resourced mechanisms needed to close enduring digital divides. Without progress on predictable funding and operational tools, they warned, the credibility and effectiveness of the DGT group on CB risks would be undermined from the outset.

CBMs have been one of the main areas of progress in recent years within the OEWG process. However, the discussions during the most recent session were notably subdued. 

New CBMs: Overcommitting or not?

A few new proposals were tabled. Indeed, a clear—and by now long-standing—consensus has emerged among several delegations, including the EU, Canada, the Netherlands, Ukraine, New Zealand, Australia, and the USA, that the OEWG’s final report should avoid overcommitting to new CBMs.

This position was the principal counterpoint to Iran’s longstanding proposal for a new CBM aimed at ensuring unhindered access to a secure ICT market for all states. Although this proposal did not gain significant traction in earlier discussions, it became a central point of contention during the latest round of negotiations. States such as Brazil and El Salvador expressed support for retaining this reference, but others—including the Netherlands, the USA, New Zealand, Australia, and Switzerland—firmly rejected its inclusion, citing both the absence of consensus and the need to prioritise the implementation of the eight CBMs agreed under the OEWG framework. Switzerland proposed relocating this reference to the capacity-building section, where states could voluntarily provide others with ICT tools to strengthen capacity. 

The standardised template for communication: First time discussed in the plenary

First circulated in April 2025, the standardised template developed by the Secretariat had not yet been discussed in plenary. Some delegations—notably Qatar and the Republic of Korea—expressed their preference to keep the template flexible and voluntary. Thailand proposed enhancing the template by incorporating elements such as urgency and confidentiality to help states identify operational needs in sensitive contexts. Nevertheless, the proposal received a lukewarm reception from the EU and the Netherlands, with the latter calling for its removal from the final report. 

Responsible reporting of ICT vulnerabilities, norm J)

A final point of contention that was excluded from the final report concerned the inclusion of norm J), which pertains to the responsible reporting of ICT vulnerabilities, under the CBM section. While El Salvador supported its inclusion, the Netherlands, the EU, and Israel strongly opposed this characterisation. The Netherlands questioned the logic of singling out this particular norm over others, while Israel argued that this issue had not been substantively deliberated and therefore should not appear under the CBM heading.

The result

While Iran’s proposal did not make it onto the formal list of CBMs, it remains referenced in the final report for potential consideration within the future permanent mechanism. Although it was initially the Chair’s ambition to include the standardised template of communication, it ultimately was not retained. Norm J) was not included in the CBMs section.

Thematic groups: Debating the design

One of the most significant debates during the session centred on the thematic groups to be established under the future mechanism. These groups were originally conceived as a means to allow delegations to deepen discussions on key issues. However, countries quickly ran into a stumbling block: how many thematic groups should there be, and what topics should they cover? While views varied, the vast majority of states, as well as the Chair, agreed that this was a matter that had to be resolved during this final substantive session of the OEWG. Deferring the decision to the future global mechanism, they warned, would risk unnecessary delays in getting the new process off the ground.

Zero Draft: The starting point for negotiations

Chair’s Zero Draft proposal was the basis for the beginning of discussions on this issue. His initial proposal was 3 DTGs:

• The first would focus on action-oriented measures to enhance state resilience and ICT security, protecting critical infrastructure, and promoting cooperative action to address threats in the ICT environment. (DTG1)
• The second group would continue the discussions on how international law applies to the use of ICTs in the context of international security. (DTG2)
• The third group would address capacity-building in the use of ICTs, with an emphasis on accelerating practical support and convening the Global Roundtable on ICT security capacity-building on a regular basis. (DTG3)

This proposal is what the states discussed Monday through Wednesday. A number of states, for instance, Nigeria, Senegal, South Africa, Thailand, Colombia, Cote d’Ivoire, Indonesia, Brazil, El Salvador, Botswana, expressed support for the creation of the three proposed DTGs. Some countries suggested minor changes, for example, Indonesia suggested that DTG1 can be streamlined to resilience and ICT security of states. South Africa suggested that clearly showing how time will be divided among the group’s workstreams in the illustrative timeline would be very helpful.

However, a number of countries were against DTG1. Nicaragua noted that the scope and approach of DTG1 are not clear, and that greater discussion is needed. Iran similarly noted that the mandate of DTG1 remains vague and overly complex and therefore requires further strengthening and clarification in line with the pillars of the OEWG. China cited the use of vague terms like ‘resilience’ that could undermine the OEWG’s agreed framework. Russia cautioned that the discussion of the three pillars of the mandate within the same group may be challenging. Russia also stated that norms and CBMs deserve separate groups. Nicaragua suggested establishing a separate thematic group on norms. South Africa was in favour of a DTG2 that would discuss norms in addition to international law. Belarus suggested a thematic group on standards and on CBMs.

DTG2 was much debated. A number of countries were in favour, for various reasons. For instance, Switzerland and Mauritius noted that such a group should discuss how existing international law applies in cyberspace. Mexico highlighted that states need to have a permanent space in which to review, when appropriate, their compatibility with the existing legal framework. Thailand noted that this group will enable focused and sustained discussion, including on related capacity building, aimed at bridging legal and technical gaps and promoting more inclusive participation by states on this specialised topic. On the other hand, Zimbabwe noted that the DTG could help elaborate a comprehensive legal instrument to codify the applicable rules and principles governing state conduct in cyberspace. 

However, various reasons against establishing DTG2 were also brought up. The EU emphasised that the OEWG’s five pillars are interdependent, and isolating one—such as international law—risks siloed, incoherent outcomes. Australia, Romania and Estonia echoed this view, arguing that international law should be addressed through cross-cutting DTGs. In China’s view, DTG 2 undermines the balance between norms and international law. 

The USA opposed DTG2, citing that some states have already affirmed that they will seek to use conversations in the international law DTG to advance new legally binding obligations contrary to the consensus spirit of the OEWG.

However, seemingly in response, Egypt stated that states should not preempt the discussions in DTGs. It stressed that the groups are intended for open dialogue, as has been the practice over the past four years, without any predetermined conclusions. Egypt underlined that, according to Paragraph 15 of the OEWG report, any recommendations emerging from the DTGs will remain draft and subject to consensus-based decision-making.

Much support was expressed for DTG3. Nigeria, on behalf of the African Group, said the group would offer a focused platform to strengthen developing countries and bridge the digital gap. Paraguay supported a specialised working group to facilitate national efforts in policy development and information exchange. Mexico emphasised that the DTG could help develop action-oriented recommendations, map needs and resources, follow up on implementation, coordinate with the global roundtable, and promote diversity and inclusion. El Salvador highlighted the importance of the DTG for Central America, noting it should not be limited to financing but also cover technical assistance and knowledge exchange. Botswana noted that the DTG will assist states in organising national cybersecurity efforts, developing policy frameworks, protecting critical and information infrastructures, implementing existing voluntary norms, and formulating national positions on the applicability of international law in cyberspace. Uruguay noted that DTG would go beyond training to identify specific needs and ensure targeted support, allowing for a more comprehensive approach to capacity building.

Indonesia said the group should focus on CBMs, technical training, capacity needs of developing countries, and strengthening initiatives like the Global PoC Directory and the new Global ICT Security Cooperation and Capacity Building Portal. South Africa suggested that discussions on CBMs could be placed under this DTG instead of DTG1, if states agreed. 

France’s detailed proposal was highly regarded by many delegations, such as Australia, the USA, Finland, Switzerland, Italy, South Korea, Denmark, Japan, Canada, Sweden, Romania, and Estonia. This proposal, regarded as an honest bridging proposal, suggested three thematic groups, which would draw on the pillars of the framework for responsible State behaviour in the use of ICT. They would consider, in an integrated, policy-oriented and cross-cutting manner, action-oriented measures to:

• Increase the resilience and ICT security of states, including the protection of critical infrastructure, with a focus on capacity-building in the use of ICTs in the context of international security, and to convene the dedicated Global Roundtable on ICT security capacity-building (DTG1)
• Enhance concrete actions and cooperative measures to address ICT threats and to promote an open, secure, stable, accessible and peaceful ICT environment, including to continue the further development and operationalisation of the Global POC Directory (DTG2)
• Promote maintaining peace, security and stability in the ICT environment (DTG3)

Australia noted that the proposal explicitly draws on the five pillars of the framework in each dedicated thematic group. Australia, the USA, Switzerland, and Estonia noted that the proposal is action-oriented. Per South Korea, the proposal would allow for more practical and integrated discussion. 

Rev 2: Down to DTG1 and DTG2

However, the Chair’s Rev2 brought significant changes to DTGs. It suggested:

• An integrated, policy-oriented and cross-cutting dedicated thematic group drawing on the five pillars of the framework to address specific challenges in the sphere of ICT security in the context of international security in order to promote an open, secure, stable, accessible, peaceful, and interoperable ICT environment, with the participation of, inter alia, technical experts and other stakeholders. (DTG 1) 

• An integrated, policy-oriented and cross-cutting dedicated thematic group drawing on the five pillars of the framework to accelerate the delivery of ICT security capacity-building, with the participation of, inter alia, capacity-building experts, practitioners, and other stakeholders. (DTG 2)

DTG1 was not met with much enthusiasm. Ghana noted that the DTG1 lacks clarity on how the various focus areas will be discussed and effectively distributed within the allocated time frame. Russia also noted that it is unclear what exactly the group will work on. Nicaragua noted that the group’s scope is overstretched, while El Salvador warned against excessive generalisation of discussions. Nicaragua and Russia noted the risks of duplication of discussions in the DTG1 and the plenary sessions. France and the USA regretted the removal of language around cooperation, resilience, and stability.

Delegations made a few suggestions to improve DTG1. Canada called for clearer language and a focus on critical infrastructure. Ghana suggested that either a clearer framework for the internal distribution of time among the focus areas be established, or the OEWG revert to the three DTGs suggested in Rev1. Nicaragua suggested that the OEWG establish the DTG2 on capacity building and defer the decision on other possible DTGs to the organisational session of the future permanent mechanism in March 2026. 

A small number of countries, namely Indonesia, Turkiye, the Philippines, Ukraine, and Pakistan, accepted the new DTG1 as outlined in Rev 2. 

A number of countries expressed regret at the removal of the DTG on international law. Among them were Nigeria on behalf of the African Group, Egypt, Colombia, El Salvador, Russia, Brazil, and Mauritius. However, this group did not make it into the Final report. Brazil, for instance, noted that it will be difficult to ensure the meaningful participation of legal experts when the issue of international law is so diluted in DTG 1’s overly broad mandate. Egypt stated that the group on international law, along with the group on capacity building, were the source of balance vis-a-vis DTG1 and its everything, everywhere, all at once approach. Tunisia, on behalf of the Arab Group, noted that it will ask the chair of the mechanism to hold a conference on the application of international law, while Egypt was in favour of a roundtable. 

DTG2 on capacity building, which was widely supported as DTG3 while countries were still discussing Rev1, wasn’t much discussed as it seemed countries were in favour of establishing it. Canada called for a clear link and no duplication between the global roundtable on capacity building on capacity building and DTG2. France and Australia suggested that DTG2 be responsible for organising the global roundtable on capacity building as well as its follow-up.  Costa Rica emphasised the need to include more operational detail, such as identifying, planning, and implementing capacity building, as well as improving the connection between providers and recipients. However, Egypt stressed that without concrete steps—such as establishing a UN-led capacity building vehicle, activating the Voluntary Fund and Sponsorship Program, and ensuring predictable resources—the DTG2 discussions would fall short of their potential and risk undermining the credibility of the new mechanism.

Additional ad hoc groups

Thailand, Côte d’Ivoire, South Africa, and Colombia supported the idea of creating additional ad hoc dedicated thematic groups with a fixed duration to engage in focused discussions on specific issues as necessary, while Iran noted that such groups must be created by consensus. Australia opposed ad hoc groups, noting that they could create additional uncertainties and potential burdens for smaller delegations. 

Multistakeholder engagement in UN cyber dialogue: An old issue persistently on the agenda

Should a state be able to object to an MSH participating in the OEWG? Opinions are divided.

Answer A: Yes, the principle of non-objection must be observed

A group of states is saying YES. Türkiye, Iran, Nigeria on behalf of the African Group, China, Zimbabwe, Nicaragua, Tunisia on behalf of the Arab Group, Indonesia, Egypt, Nicaragua, Russia, and Cuba advocated for keeping the current modalities of stakeholder engagement. Per these modalities, ECOSOC-accredited stakeholders may attend formal OEWG meetings without addressing them, speak during a dedicated stakeholder session, and submit written inputs for the OEWG website. Other relevant stakeholders may also apply by providing information on their purpose and activities; they may be invited to participate as observers, subject to a non-objection process. A state may object to the accreditation of specific non-ECOSOC-accredited organisations, and must notify the OEWG Chair that it is objecting. The state may, on a voluntary basis, share with the Chair the general basis of its objections.

Iran supported the proposal made by Russia during the town hall consultations to empower the chair and the secretariat of the future permanent mechanism to assess the relevance of ECOSOC-accredited NGOs that have applied to participate in the mechanism and to inform the state of the outcome of such assessment. Egypt stated that it does not see merits in the additional consultative layers that will overload the chairperson of the future permanent mechanism without necessarily resolving any potential divergence of views.

China questioned the push for increased NGO participation when member state concerns remain unresolved and highlighted the issue of inappropriate remarks by states, raising doubts about ensuring appropriate NGO contributions.

This group of states does not want experts participating in DTGs. Russia and Nicaragua noted that the DTGs are to provide a platform for dialogue, specifically for government experts. Iran stated that, given that technical experts from states will participate in the thematic groups and will engage in technical rather than political or diplomatic discussions, the expert briefings, as well as the participation of other stakeholders in DTGs, don’t offer additional value and could therefore be deleted. 

Answer B: No, multistakeholder participation cannot be limited

Their much different position is outlined in the paper titled ‘Practical Modalities for Stakeholders’ Participation and Accreditation Future UN Mechanism on Cybersecurity,’ co-ordinated by Chile and Canada and supported by 42 states. 

This group notes that a state may object to the accreditation of specific non-ECOSOC-accredited organisations. However, the notice of intention to object shall be made in writing and include, separately for each organisation, a detailed rationale for such objection(s). One week after the objection period ends, the Secretariat will publish two lists: one of accredited organisations and another of those with objections, including the objecting state(s) and their reasons. These lists will be made public. At the next substantive plenary session, any state that filed an objection may formally oppose the accreditation. If the Chair considers that every effort to reach an agreement by consensus has been exhausted, a majority vote of members present and voting may be held to decide on the contested accreditations, following the Rules of Procedure of the UN General Assembly.

This group has also proposed broader participation rights for stakeholders in the future mechanism. Their proposal includes:

• Allowing stakeholders to deliver oral statements and participate remotely in plenary sessions, thematic groups, and review sessions.
• Permitting non-accredited stakeholders to attend plenary sessions silently.
• Granting the Chair (or Vice Chairs) the authority to organise technical briefings by stakeholders and states during key sessions, ensuring geographic balance and gender parity, and fostering two-way interaction.
• Enabling Chairs (or Vice Chairs) of thematic groups to invite stakeholders to submit written reports, give presentations, and provide other forms of support.

The proposal, its proponents believe, is a fair and practical way to enhance stakeholder participation in the future mechanism by promoting transparency and inclusiveness.

Answer C: Yes, but!

The Chair’s proposal tried to bridge these two positions. If a member state objects to accrediting a stakeholder, it must inform the Chair and may voluntarily share the general reason for the objection. The Chair will then consult informally with all member states for up to three months to try to resolve the concern and facilitate accreditation. After the consultations, if a consensus has been reached, the Chair may propose to the Global Mechanism to confirm the accreditation. If consensus is not yet possible, the Chair will continue informal consultations as appropriate. Therefore, this proposal contains the principle of objection, but that can also be revoked.

Accredited stakeholders will be able to attend key sessions, submit written inputs, and deliver oral statements during dedicated stakeholder sessions. They may also speak after member states at substantive plenary sessions and review conferences, time permitting and at the Chair’s discretion. The Chair will also hold informal or virtual meetings with stakeholders during intersessional periods. Participation is consultative only—stakeholders would engage in a technical and objective manner, and their contributions ‘shall remain apolitical in nature’. Negotiation and decision-making are exclusive prerogatives of member states.

What’s in a name?

Towards the end of the session, another disagreement popped up: the future permanent mechanism’s very name.

While France suggested that the future mechanism should ‘advance responsible state behavior’, a proposal that had quite some proponents, Iran and Russia, for instance, insisted on using ‘security of and in the use of ICT’, terminology used in the OEWG’s name. 

The outcomes

The final report confirms the establishment of DTG 1 on specific challenges and DTG 2 on capacity building, as outlined in Rev2. The final report acknowledges the possibility of establishing additional ad-hoc dedicated thematic groups. 

The Chair’s proposed modalities were adopted as part of the Final report. Nicaragua, Belarus, Venezuela, China, Cuba, Eritrea, Iran, Niger, Russia, Sudan, and Zimbabwe welcomed that accredited stakeholders will participate on a non-objection basis and obtain a solely consultative status, highlighting that the future permanent mechanism is strictly an intergovernmental process. 

This division on names resulted in the rather unwieldy name of the future permanent mechanism: ‘Global Mechanism on developments in the field of ICTs in the context of international security and advancing responsible State behaviour in the use of ICTs’.